387c2df15c
The bump to 3.0.8 inadvertently removed patches that are needed here,
but were not adopted upstream. The most important one changes the
default value of the DIGESTS setting from ALL to NONE. The absence of
this patch causes a sysupgrade failure while the engine is in use with
digests enabled. When this happens, the system fails to boot with a
kernel panic.
Also, explicitly set DIGESTS to NONE in the provided config file, and
change the default ciphers setting to disable ECB. Disabling ECB has been
recommended for a long time, as ECB may cause trouble with some apps.
The config file change by itself is not enough because the config file
may be preserved during sysupgrade.
For people affected by this bug:
You can do any one of the following:
1. remove the libopenssl-devcrypto package;
2. disable the engine in /etc/config/openssl;
3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE;
4. update libopenssl-devcrypto to >=3.0.8-3.
However, after doing any of the above, **you must reboot the device
before running sysupgrade** to ensure no running application is using
the engine. Running `/etc/init.d/openssl restart` is not enough.
Fixes: 7e7e76afca
"openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
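# Settings for the OpenSSL devcrypto engine.
[devcrypto]
# Leave this alone and configure algorithms with CIPHERS/DIGESTS below
default_algorithms = ALL

# Configuration commands:
# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
# list of supported algorithms, along with their driver, whether they
# are hw accelerated or not, and the engine's configuration commands.

# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
# if acceleration can't be determined) [default=2]
#USE_SOFTDRIVERS = 2

# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
# enable [default=ALL]
# It is recommended to disable the ECB ciphers; in most cases, ECB will
# only be used for PRNG, in small blocks, where performance is poor,
# and there may be problems with apps forking with open crypto
# contexts, leading to failures. The CBC ciphers work well.
# The list below names no ECB cipher. The trailing backslash continues
# the value on the next line.
# NOTE(review): DES-CBC and DES-EDE3-CBC are legacy ciphers. This list
# presumably only selects what the engine handles, and does not by
# itself decide which ciphers applications negotiate; confirm before
# treating it as cipher policy.
CIPHERS = DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, \
        AES-128-CTR, AES-192-CTR, AES-256-CTR

# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
# enable [default=NONE]
# It is strongly recommended not to enable digests; their performance
# is poor, and there are many cases in which they will not work,
# especially when calling fork with open crypto contexts. OpenSSH,
# for example, does this, and you may not be able to log in.
# Sysupgrade will fail as well. If you're adventurous enough to change
# this, you should change it back to NONE, and reboot before running
# sysupgrade! Running '/etc/init.d/openssl restart' is not enough: the
# reboot ensures that no running application is still using the engine.
# This file may be preserved during sysupgrade, so check that the value
# is still NONE after upgrading.
DIGESTS = NONE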